CCI-003112
CCI-003112 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if the developer of the system, system component, or system service is required to produce a plan for the continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing developer continuous monitoring plans; procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process; developer continuous monitoring plans; security assessment plans; acquisition contracts for the system, system component, or system service; acquisition documentation; solicitation documentation; service level agreements; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with the responsibility for determining system security requirements; system developers; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Vendor processes for continuous monitoring; mechanisms supporting and/or implementing developer continuous monitoring].